[KASP] Key rollover

Nick Tait nick at tait.net.nz
Wed Feb 15 08:59:51 UTC 2023


On 14/02/23 05:39, adrien sipasseuth wrote:
> "You configure parental agents and named will check which DS’s are 
> published.  Named won’t complete the
> roll until it knows the new DS is published."
> => What is a parental agent? I don't find this term in the BIND 
> documentation. From what I understand, you have to specify to BIND 
> that the new DS is published with the command: rndc dnssec -checkds 
> -key <id new ksk> published <my-zone>
Have a look at 
https://downloads.isc.org/isc/bind9/9.18.11/doc/arm/html/reference.html 
and search for "parental-agents"? (The basic idea is that BIND will 
automatically poll to see if the new DS has been published, rather than 
relying on you to run the rndc command.)
>
> "If it was me, I'd set the KSK to not roll-over automatically, and
> instead create a recurring reminder for yourself to initiate the KSK
> roll-over manually? That way you'd never get caught out with a KSK
> roll-over happening when you weren't prepared for it? "
> => I don't know if I can get a policy for ZSK and a manual method for 
> KSK. From what I understand, if I want to use a policy I have to remove 
> "auto-dnssec maintain;", which is necessary for the manual method, right?

You can configure your dnssec-policy to automatically roll the ZSK only, 
and then you can manually roll the KSK. Just set the policy to give the 
KSK an unlimited lifetime, e.g.:

dnssec-policy 90dayzsk {
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime P90D algorithm ecdsa256;
    };
};

You can trigger the (KSK) roll-over with: rndc dnssec -rollover -key xxx

BIND will then schedule the creation of the new key, etc, and all you 
need to do is change the DS key (in the parent zone) at the appropriate 
time, then (if not using parental-agents) tell BIND that you've done it, 
and it will take care of retiring the old key.
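As an added example (not from this thread or from ISC), a small POSIX shell check for the manual step just described: it confirms that the parent zone actually serves the new KSK's DS before you tell BIND with rndc dnssec -checkds. The zone name, key tag and DS values are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original thread. Before running the manual
# "rndc dnssec -checkds ... published" step, confirm that the parent zone
# really serves the new KSK's DS. With parental-agents configured BIND does
# this polling itself; this script is for the manual path described above.
# ZONE and all DS strings are constructed sample data.

ZONE="example.net"

# Stand-in for the RDATA printed by
#   dnssec-dsfromkey -2 "K${ZONE}.+013+<keytag>.key"   (new KSK, constructed)
NEW_DS="23456 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
KEY_ID=${NEW_DS%% *}   # key tag is the first DS field

# Stand-ins for "dig +short DS ${ZONE}" before and after the parent was updated
PARENT_BEFORE="12345 13 2 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
PARENT_AFTER="12345 13 2 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
23456 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# norm_ds "DS RDATA": lowercase and collapse whitespace so that hex case and
# spacing differences between tools do not cause a false mismatch.
norm_ds() {
    printf '%s\n' "$1" | awk '{ s = ""; for (i = 1; i <= NF; i++) s = s (i > 1 ? " " : "") tolower($i); print s }'
}

# ds_published EXPECTED_DS PARENT_DS_LIST: succeeds (exit 0) only when one
# line of the newline-separated parent answer equals the expected DS.
ds_published() {
    want=$(norm_ds "$1")
    printf '%s\n' "$2" | awk -v want="$want" '
        { s = ""; for (i = 1; i <= NF; i++) s = s (i > 1 ? " " : "") tolower($i) }
        s == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# checkds_if_published EXPECTED_DS PARENT_DS_LIST: prints the rndc command that
# tells BIND the DS is live (run it by hand once you trust the output), or
# fails so the roll is not completed before the parent has the new DS.
checkds_if_published() {
    if ds_published "$1" "$2"; then
        echo "rndc dnssec -checkds -key $KEY_ID published $ZONE"
    else
        echo "new DS for key $KEY_ID not yet served by the parent of $ZONE" >&2
        return 1
    fi
}

checkds_if_published "$NEW_DS" "$PARENT_BEFORE" || true   # not yet: reports and fails
checkds_if_published "$NEW_DS" "$PARENT_AFTER"            # prints the -checkds command
```

For live use, replace the two constructed strings with the output of dnssec-dsfromkey and dig +short DS as noted in the comments.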

>
> In the meantime, I wonder if I can't stay on the manual method even 
> with BIND 9.18? I read that the auto-dnssec directive might 
> disappear in favor of dnssec-policy. Does that mean that it might not 
> be possible to do it manually anymore? Source here => 
> https://kb.isc.org/v1/docs/dnssec-key-and-signing-policy
See previous answer. IMHO transitioning to using dnssec-policy is 
definitely worth it! :-)